Drive-by downloads are malware infections that are automatically delivered to website visitors’ systems without those visitors having to take any action at all – not even a click on a link is required to deliver the kind of infection that can steal passwords, bank account information and more.
This transience means that a user relying on security software whose protection comes from traditional virus signatures, or from centralised periodic scans of the millions of sites active on the web at any given time, is completely unprotected at the one moment that matters: when they visit a site poisoned with one of these short-lived infections. Drilling further into the data by type of infection, the company has found that:
* 94 percent of sites distributing ‘fake codec’ attacks – in which the user is offered a codec or video conversion tool in order to view or download a particular video, but the download is in reality a piece of malware – are active for less than 10 days, with 62 percent active for less than one day. Figure A below shows this dramatic drop-off rate.
* 91 percent of sites distributing attacks from China – frequently stealing seemingly harmless items such as World of Warcraft game passwords, which can be resold on sites like eBay for hard currency – are active for less than 12 days, with almost 50 percent active for less than one day.
* 72 percent of sites distributing fake anti-spyware products – which in fact deposit spyware onto the user’s machine and then offer to remove it for a fee – are active for less than two weeks, with 28 percent active for less than one day.
Figure A: Drop-off in days active for fake codec attacks
There are a few other interesting interrelationships that give insight into how these criminals operate. For example, the data shows that criminals using fake codec attacks use 4.6 times as many unique pages as criminals employing a fake anti-spyware attack, yet fake anti-spyware attacks affect 68 percent more users than fake codec attacks. This suggests that the fake anti-spyware attack is generally more effective than the fake codec attack, and also much more evasive to centralized periodic scanning solutions.
According to AVG Technologies’ CEO J.R. Smith, “the hallmark of today’s web-borne infections is ‘here today, gone tomorrow’. Any web security product that relies on visiting and scanning websites to deliver a relative safety rating to its users would have to visit every one of the hundreds of millions of sites on the Internet every day to provide protection against these threats. Our recent acquisition of Sana Security’s behavioral analysis technology adds another important layer of protection against new and unknown threats.”
The rate at which these ‘here today, gone tomorrow’ sites appear is also increasing: in just the past three months, AVG researchers have seen the average number of unique new infective sites appearing each day grow from 100,000-200,000 to 200,000-300,000, a pattern that looks set to continue. Chart available on request to email@example.com.
The unique URL counts appear to be rising in part because cybercriminals are making more use of query string tokens to target individual users, so that a single infective page can show up as many distinct URLs. This is a disturbing trend that AVG researchers are investigating further.
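The inflation described above is a practical problem for anyone counting infective sites: if each visitor is handed a URL that differs only in a per-visitor query-string token, a naive "unique URL" tally overstates the number of distinct malicious pages. The following is an added example, not AVG's code or method, showing one way a researcher could collapse such URLs back to the underlying page and flag which query parameters behave like per-visitor tokens. The sample URLs and hostnames are constructed for illustration (RFC 2606 reserved names), and the threshold of three distinct values for calling a parameter a "token" is an assumption chosen for this toy data set.

```python
"""Collapse per-visitor "tokenised" URLs so each infective page is counted once.

Added example, not AVG's code. The URLs below are constructed; the hostnames
use reserved example domains and do not refer to real sites.
"""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample feed: two malicious landing pages that hand every visitor
# a different query-string token, plus one unrelated page with no query string.
SAMPLE_URLS = [
    "http://codec.example.net/get.php?id=a91f3c",
    "http://codec.example.net/get.php?id=77be02",
    "http://codec.example.net/get.php?id=c0ffee",
    "http://codec.example.net/get.php?id=d3adb3",
    "http://av-scan.example.org/scan/?u=1001&lang=en",
    "http://av-scan.example.org/scan/?u=1002&lang=en",
    "http://av-scan.example.org/scan/?u=1003&lang=de",
    "http://blog.example.com/post/42",
]


def canonical(url: str) -> str:
    """Reduce a URL to host + path: scheme, port, query string and fragment are dropped."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return f"{host}{path}"


def cluster_urls(urls):
    """Group raw URLs by canonical page and record every query value seen per parameter.

    Returns {canonical_page: {param_name: set_of_values}}. Pages with no query
    string still appear, with an empty parameter map.
    """
    clusters = defaultdict(lambda: defaultdict(set))
    for url in urls:
        params = clusters[canonical(url)]  # creates the page entry even if no query follows
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            params[name].add(value)
    return clusters


def per_visitor_params(clusters, min_distinct=3):
    """Parameters whose value differs on nearly every hit look like per-visitor tokens.

    min_distinct is an assumed threshold for this toy data; a real feed would
    set it relative to the number of hits observed for the page.
    """
    out = {}
    for page, params in clusters.items():
        tokens = sorted(n for n, vals in params.items() if len(vals) >= min_distinct)
        if tokens:
            out[page] = tokens
    return out


def count_pages(urls):
    """Return (unique raw URLs, unique pages after stripping query strings)."""
    return len(set(urls)), len({canonical(u) for u in urls})


if __name__ == "__main__":
    raw, canon = count_pages(SAMPLE_URLS)
    print(f"unique raw URLs: {raw}, unique pages after stripping tokens: {canon}")
    for page, names in per_visitor_params(cluster_urls(SAMPLE_URLS)).items():
        print(f"{page}: per-visitor parameter(s) {names}")
```

On the constructed feed the eight distinct URLs collapse to three pages, and the `id` and `u` parameters are singled out as the ones that vary per visitor while `lang` (only two values) is not. Stripping the query string entirely is deliberately crude: some sites legitimately route on query parameters, so in practice the token-detection step should drive which parameters are removed rather than discarding all of them.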
Of course, the use of the Internet as a way to distribute infections is nothing new – attackers have been trying for years to get unsuspecting users to download programs that will steal valuable information and then ‘phone home’ that information to hackers. What’s new is that organized crime is now making use of malware purchased from hackers on one of the many online ‘malware markets’ in existence today, and carefully selecting an untraceable mechanism, such as syndicated randomized banner ad placement, to distribute their lures.
Transient, rapidly-changing information is also a hallmark of social networks, and cybercriminals have found fertile territory in messages or bulletins from ‘friends’ that direct users to malicious sites, which, again, download infective malware in the background. Links to user-generated music or video may ask visitors to download one of those fake codecs – something that does not seem unreasonable in the circumstances – but which carries a hidden threat.
AVG Technologies’ Chief Research Officer Roger Thompson notes three key factors that make it particularly difficult for security companies to track and detect these types of threats: “Firstly, it takes a long time to detect and close down threats distributed in random rotation across thousands of different pages on a large social networking or other extensive site. Secondly, the threat is usually short-lived – a malicious program delivered through a popular site does not need to run for long to lure a large number of victims. And thirdly, the Internet is so large that scanning every web page for a threat that may only be present for a few hours or days is simply not feasible.
“And to make matters worse, the more sophisticated attackers know how to hide from roving scanners: they identify the IP addresses used by these scanners and make sure not to show themselves when those IP addresses come calling. But of course, none of that is actually relevant to the people who get infected during those few critical hours.”
AVG takes a different approach to protecting users against these insidious threats. The company’s Exploit Prevention Labs research brings together data from multiple sources to add a vital layer of real-time protection to all AVG products on top of the company’s core signature-based malware detection technology. This additional protection will now be extended further with the acquisition of the Sana Security identity protection and behavior analysis technology.
Thompson believes this layered approach is vital to the provision of timely protection. “If a site contains one bad thing, it might easily contain multiple bad things – and usually does. By bringing together multiple data sources and watching how all the various elements interact with each other, we’re able to build a very complete picture of individual threats.
“It’s important to understand that it is no longer feasible to provide protection against every individual virus out there – our labs are seeing tens of thousands of new viruses every day. So what we do is look at the behavior of these threats – which is a much more manageable task because there are far fewer different ways in which the threats are delivered. It’s rather like detecting letter bombs – we get enough data from our research to be able to identify a threat (the bomb) by the delivery mechanism (the envelope enclosing the bomb), so we don’t need to open the envelope, thus risking the user’s data by causing the bomb to go off.”
AVG security software provides the most timely, precise and reliable safe searching and surfing protection by analyzing web pages at the only time it matters – when the user is about to visit them. AVG offers the industry’s only real-time web exploit detection and prevention, using proprietary behavioral analysis and other breakthrough technologies to protect personal information and defend against unwanted intrusions while users are on the web.